Presentation is loading. Please wait.

Presentation is loading. Please wait.

The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009.

Published byBarry Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009."— Presentation transcript:

1 The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009

2 What is VOMS VOMS is… –An Attribute Authority. –A VO Management System. –A source of trust for authorization. VOMS is not… –A policy system. –An AuthN/AuthZ framework.

3 VOMS: The problem In a grid environment, VOs tend to be extremely large and change frequently. –Hundreds or even thousands of users. Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. It is not scalable to manage them by hand

4 VOMS: The solution Organize users into groups and grant them roles. –Allows for full Role Based Access Control authorization. Also, adds other general-purpose attributes.

5 VOMS Architecture VOMSDB VOMS-ADMIN Secure

6 Who uses VOMS? voms.gridpp.ac.uk 19 VOs, –301 users –2 servers

7

8 DPM, dCache, SRM what are they Storage Element: DPM and dCache – disk caching front­end – End user interface to write and read cached files Storage Resource Manager –Provides a consistent interface to underlying storage systems.

9 Tier2 SE Combine hundreds of commodity disk servers to get a huge terabyte scale data store Storage site gains increased fault tolerance Allows several copies of a single file for distributed data access Internal load balancing using cost metrics and transfers between the site's pools Automatic file replication on high load (dCache)

10 Manchester Tier2 SE Combines about 160 TB of disk space on 900 nodes Maintained and monitored around the clock Upgrading and tuning annually

11 This year plans New storage hardware installation Migration from dCache to DPM Improving and tuning of the DPM/dCache performance via configuration Monitoring and automation of the cluster maintenance including SE's, Computer Elements VOMS etc.

12 Thank you

13 VOMS data format Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate. –The exact profile is described here: https://forge.gridforum.org/sf/go/doc13797?nav=1 –ACs are the natural choice in a X.509 world. The grid is a X.509 world. The provided clients insert the AC in a non-critical extension of the user proxy. –Immediate compatibility with non-VOMS aware software.

14 What is a proxy? A proxy is a short-lived certificate that has as issuer a user certificate. –Standardized in RFC 3820. –Commonly used throughout the grid for authentication and authorization purposes.

15 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Subject

16 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s issuer

17 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Certificate’s subject

18 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Type of proxy

19 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s key strength

20 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Location

21 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s validity

22 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 VO Name

23 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Data

24 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Group membership

25 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 General-Purpose attributes

26 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 AC validity

Download ppt "The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009."

Similar presentations

LCG Tiziana Ferrari - SC3: INFN installation status report 1 Service Challenge Phase 3: Status report Tiziana Ferrari on behalf of the INFN SC team INFN.

LCG Tiziana Ferrari - SC3: INFN installation status report 1 Service Challenge Phase 3: Status report Tiziana Ferrari on behalf of the INFN SC team INFN.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
High Availability Group 08: Võ Đức Vĩnh50703006 Nguyễn Quang Vũ50703033.

High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
11 SERVER CLUSTERING Chapter 6. Chapter 6: SERVER CLUSTERING2 OVERVIEW  List the types of server clusters.  Determine which type of cluster to use for.

11 SERVER CLUSTERING Chapter 6. Chapter 6: SERVER CLUSTERING2 OVERVIEW  List the types of server clusters.  Determine which type of cluster to use for.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug 2009 1.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.

Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.
Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.

Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.
16 th May 2006Alessandra Forti Storage Alessandra Forti Group seminar 16th May 2006.

16 th May 2006Alessandra Forti Storage Alessandra Forti Group seminar 16th May 2006.
YAN, Tian On behalf of distributed computing group Institute of High Energy Physics (IHEP), CAS, China CHEP-2015, Apr. 13-17th, OIST, Okinawa.

YAN, Tian On behalf of distributed computing group Institute of High Energy Physics (IHEP), CAS, China CHEP-2015, Apr th, OIST, Okinawa.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

Similar presentations

Ads by Google